Trojaner-Board (https://www.trojaner-board.de/)
Log analysis and evaluation (https://www.trojaner-board.de/log-analyse-auswertung/)
Log analysis requested - TR\Agent.CP & TR\Stervice.C (https://www.trojaner-board.de/18677-log-analyse-erbeten-tr-agent-cp-tr-stervice-c.html)

filou167 06.06.2005 19:31

Log analysis requested - TR\Agent.CP & TR\Stervice.C
Hello,

thank you for the opportunity to have my HijackThis log file analysed. The virus scanners I have tried so far have unfortunately not been able to solve the problem. AntiVir, for example, regularly detects the trojans TR\Agent.CP & TR\Stervice.C but cannot delete them for good.

Affected are mainly the System32 and Windows directories, as well as the following files: qgrxvn.exe, svcproc.exe, drpmon.dll, kuegfd.exe, poller.exe, A0267510.exe, fajtkwnef.exe etc.

Here is my log file, with a request for evaluation:

Logfile of HijackThis v1.99.1
Scan saved at 20:22:01, on 06.06.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\Programme\FSI\F-Prot\fpavupdm.exe
C:\Programme\Virus Chaser\Spidernt.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.exe
C:\Programme\Virus Chaser\Spiderui.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\MSN Apps\Updater\01.02.3000.1001\de-at\msnappau.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\DOKUME~1\**\LOKALE~1\Temp\Temporäres Verzeichnis 3 für hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.gmx.net/de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Programme\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Programme\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.4000.1001\de-at\msntb.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programme\MSN Apps\MSN Toolbar\01.02.4000.1001\de-at\msntb.dll
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O8 - Extra context menu item: Download with GetRight - C:\Programme\GetRight\GRdownload.htm
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Programme\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - h**p://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - h**p://a1540.g.akamai.net/7/1540/52/20020909/qtinstall.info.apple.com/sikes/de/win/QuickTimeInstaller.exe
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - h**p://sib1.od2.com/common/Member/ClientInstall/10.01.0004/OCI/setup.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - h**p://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} - h**p://www.180searchassistant.com/180saax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - h**p://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - h**p://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - h**p://www.photoprintonline.com/upload/XUpload.ocx
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Programme\AVPersonal\AVWUPSRV.EXE
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Programme\FSI\F-Prot\fpavupdm.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Programme\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Virus Chaser Spider NT (spidernt) - New Technology Wave Inc. - C:\Programme\Virus Chaser\Spidernt.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Greetings from Tyrol,

Filou
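Lines of the form `Ox - description - path` are the fixed HijackThis entry format, and several of the entries above follow well-known hijack patterns: a `Shell=` value that starts more than `Explorer.exe`, `hosts` entries that point search domains at a remote IP, a binary named `svchost.exe` sitting outside `system32`, and orphaned hooks or services. The script below is an added example written for this page, not something from the thread or from HijackThis itself; it parses a few entries copied verbatim from the log above (the defanged `h**p` is kept) and applies those defender-side heuristics. The heuristics, the `SYSTEM32_ONLY` list and the function names are the editor's own assumptions, not part of any tool.

```python
"""Heuristic triage of HijackThis log entries (added example, not from the thread)."""
import re

# Constructed sample: entries copied from the HijackThis log posted above, in
# their original (defanged "h**p") form. A raw string keeps the backslashes.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = h**p://www.gmx.net/de/
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Programme\AVPersonal\AVGUARD.EXE
"""

# Every HijackThis entry is "<kind> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
LOOPBACK = {"127.0.0.1", "::1"}

# Assumed list: binaries that legitimately live only under %SystemRoot%\system32.
# The same filename elsewhere (here C:\WINDOWS\svchost.exe) is a masquerade.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"}


def parse(text):
    """Yield (kind, body) for every line that looks like a HijackThis entry."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def run_target(body):
    """Return the command path of an O4 Run entry without the [Name] and trailing switches."""
    _, _, cmd = body.partition("] ")
    return cmd.split(" /", 1)[0].strip()


def check(kind, body):
    """Return a reason string if the entry trips a heuristic, else None."""
    if kind == "F2" and body.lower().startswith("reg:system.ini: shell="):
        shell = body.split("=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return f"Shell= launches more than Explorer.exe: {shell}"
    if kind == "O1":
        m = HOSTS_RE.match(body)
        if m and m.group("ip") not in LOOPBACK:
            return f"hosts file points {m.group('host')} at {m.group('ip')}"
    if kind == "O4":
        path = run_target(body)
        name = path.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM32_ONLY and "\\system32\\" not in path.lower():
            return f"system binary name outside system32: {path}"
    if kind in {"R3", "O2", "O3"} and body.endswith("(no file)"):
        return "registered hook/BHO/toolbar whose file is gone"
    if kind == "O23" and "(file missing)" in body and "Unknown owner" in body:
        return "service with unknown publisher and missing binary"
    return None


def triage(text):
    """Return [(kind, reason, body)] for every entry that trips a heuristic."""
    return [(k, r, b) for k, b in parse(text) if (r := check(k, b))]


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"{kind:>3}  {reason}\n     {body}")
```

Run against the sample, the script flags five of the eight entries (the orphaned R3 hook, the `Shell=` entry, the hosts redirect, the misplaced `svchost.exe` and the `SvcProc` service) and leaves the two antivirus entries and the start page alone. Orphaned `(no file)` and `(file missing)` entries are not harmful in themselves, but they are the residue a cleanup tool leaves behind and are worth removing so the log stays readable on the next pass.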

cronos 06.06.2005 19:43

First check your system with eScan.
Let us know the results.

filou167 08.06.2005 19:29

eScan result

Here is the result of the analysis with eScan:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Funde für "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Tue Jun 07 20:15:18 2005 => System found infected with Bargain Buddy Spyware/Adware ({8eee58d5-130e-4cbd-9c83-35a0564e2468})! Action taken: No Action Taken.
Tue Jun 07 20:15:18 2005 => System found infected with Bargain Buddy Spyware/Adware ({c6906a23-4717-4e1f-b6fd-f06ebed15678})! Action taken: No Action Taken.
Tue Jun 07 20:15:18 2005 => System found infected with Bargain Buddy Spyware/Adware ({8eee58d5-130e-4cbd-9c83-35a0564e5678})! Action taken: No Action Taken.
Tue Jun 07 20:15:19 2005 => System found infected with Zango Spyware/Adware ({99410cde-6f16-42ce-9d49-3807f78f0287})! Action taken: No Action Taken.
Tue Jun 07 20:15:19 2005 => System found infected with SearchEXE Spyware/Adware ({002F4E27-B273-4FA5-ADFC-1FB9ED210B37})! Action taken: No Action Taken.
Tue Jun 07 20:15:19 2005 => System found infected with MyBar Spyware/Adware ({0494d0d9-f8e0-41ad-92a3-14154ece70ac})! Action taken: No Action Taken.
Tue Jun 07 20:15:24 2005 => System found infected with altnet Spyware/Adware (smdat32a.sys)! Action taken: No Action Taken.
Tue Jun 07 20:15:24 2005 => System found infected with eZula Spyware/Adware (ezstub.exe)! Action taken: No Action Taken.
Tue Jun 07 20:16:33 2005 => System found infected with AltnetBDE Spyware/Adware (altnet signing module.exe)! Action taken: No Action Taken.
Tue Jun 07 20:16:33 2005 => System found infected with AltnetBDE Spyware/Adware (adm.exe)! Action taken: No Action Taken.
Tue Jun 07 20:16:33 2005 => System found infected with AdDestroyer Spyware/Adware (swrt01.dll)! Action taken: No Action Taken.
Tue Jun 07 21:09:55 2005 => Scanning Folder: C:\Programme\AVPersonal\INFECTED\*.*
Tue Jun 07 21:09:56 2005 => Scanning File C:\Programme\AVPersonal\INFECTED\A0245090.EXE.VIR
Tue Jun 07 21:09:56 2005 => Scanning File C:\Programme\AVPersonal\INFECTED\AQUATICADASHBAR_S_INST-1.EXE.VIR
Tue Jun 07 21:09:56 2005 => Scanning File C:\Programme\AVPersonal\INFECTED\iiusmb.VIR
Tue Jun 07 21:09:56 2005 => File C:\Programme\AVPersonal\INFECTED\iiusmb.VIR infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
Tue Jun 07 21:09:56 2005 => Scanning File C:\Programme\AVPersonal\INFECTED\kuegfd.VIR
Tue Jun 07 21:09:56 2005 => File C:\Programme\AVPersonal\INFECTED\kuegfd.VIR infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
Tue Jun 07 21:43:38 2005 => Scanning Folder: C:\Programme\Virus Chaser\infected.!!!\*.*
Tue Jun 07 22:40:16 2005 => Total Disinfected Files: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Funde für "tagged"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Tue Jun 07 20:17:34 2005 => File C:\WINDOWS\Nail.exe tagged as "not-a-virus:AdWare.BetterInternet.b". Action Taken: No Action Taken.
Tue Jun 07 20:17:34 2005 => File C:\WINDOWS\NDNuninstall4_94.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
Tue Jun 07 20:17:35 2005 => File C:\WINDOWS\preInsMt.exe tagged as "not-a-virus:AdWare.BiSpy.q". Action Taken: No Action Taken.
Tue Jun 07 20:18:10 2005 => File C:\WINDOWS\system32\BO2802040113.dll tagged as "not-a-virus:AdWare.VirtualBouncer.d". Action Taken: No Action Taken.
Tue Jun 07 20:18:11 2005 => File C:\WINDOWS\system32\BO2802040113.dlltmp tagged as "not-a-virus:AdWare.VirtualBouncer.d". Action Taken: No Action Taken.
Tue Jun 07 20:20:40 2005 => File C:\WINDOWS\system32\SWRT01.dll tagged as "not-a-virus:AdWare.VirtualBouncer.g". Action Taken: No Action Taken.
Tue Jun 07 21:39:11 2005 => File C:\Programme\MyWay\myBar\1.bin\MY2NS.EXE tagged as "not-a-virus:AdWare.ToolBar.MyWay.b". Action Taken: No Action Taken.
Tue Jun 07 21:39:11 2005 => File C:\Programme\MyWay\myBar\1.bin\MYBAR.DLL tagged as "not-a-virus:AdWare.ToolBar.MyWay.g". Action Taken: No Action Taken.
Tue Jun 07 21:42:58 2005 => File C:\Programme\Support Software\SS2.DLL tagged as "not-a-virus:AdWare.MediaPops.a". Action Taken: No Action Taken.
Tue Jun 07 21:46:47 2005 => File C:\The Web\Downloads\DVD-Rip\DivX.5.Pro.Full.(Cracked).exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Tue Jun 07 21:46:48 2005 => File C:\The Web\Downloads\DVD-Rip\DivXPro502GAINBundle.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Tue Jun 07 21:47:20 2005 => File C:\The Web\Downloads\Get it Right Downloadmanager\getrt45d.exe tagged as "not-a-virus:AdWare.Gator.1050". Action Taken: No Action Taken.
Tue Jun 07 21:59:04 2005 => File C:\The Web\Downloads\Macromedia Studio Mx 2004\Macromedia_Studio_MX_2004_mit_Flash_Professional_German\Studio MX 2004\FSCOMMAND\Flash_Video_Exporter.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Tue Jun 07 22:02:01 2005 => File C:\The Web\Downloads\Wave to mp3-Converter\now installed\setupwavtomp3.exe tagged as "not-a-virus:AdWare.BargainBuddy.v". Action Taken: No Action Taken.
Tue Jun 07 22:23:25 2005 => File C:\WINDOWS\Nail.exe tagged as "not-a-virus:AdWare.BetterInternet.b". Action Taken: No Action Taken.
Tue Jun 07 22:23:25 2005 => File C:\WINDOWS\NDNuninstall4_94.exe tagged as "not-a-virus:AdWare.NewDotNet". Action Taken: No Action Taken.
Tue Jun 07 22:24:38 2005 => File C:\WINDOWS\preInsMt.exe tagged as "not-a-virus:AdWare.BiSpy.q". Action Taken: No Action Taken.
Tue Jun 07 22:31:14 2005 => File C:\WINDOWS\system32\BO2802040113.dll tagged as "not-a-virus:AdWare.VirtualBouncer.d". Action Taken: No Action Taken.
Tue Jun 07 22:31:14 2005 => File C:\WINDOWS\system32\BO2802040113.dlltmp tagged as "not-a-virus:AdWare.VirtualBouncer.d". Action Taken: No Action Taken.
Tue Jun 07 22:37:14 2005 => File C:\WINDOWS\system32\SWRT01.dll tagged as "not-a-virus:AdWare.VirtualBouncer.g". Action Taken: No Action Taken.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Statistiken:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
Tue Jun 07 22:40:16 2005 => Total Virus(es) Found: 42
Tue Jun 07 22:40:16 2005 => Total Errors: 194
Tue Jun 07 22:40:16 2005 => Time Elapsed: 02:24:16
Tue Jun 07 22:40:16 2005 => Total Objects Scanned: 102270
Tue Jun 07 20:04:28 2005 => Virus Database Date: 2005/06/07
Tue Jun 07 20:13:19 2005 => Virus Database Date: 2005/06/07
Tue Jun 07 22:40:17 2005 => Virus Database Date: 2005/06/07
Tue Jun 07 23:39:51 2005 => Virus Database Date: 2005/06/07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~
~~~~~~~ © Haui ;-) ~~~~~~~
~~~~~~~ Dank an Cidre ~~~~~~~

Regards,

Filou

filou167 14.06.2005 18:36

Hello,

unfortunately there is no evaluation yet. I would be very glad if you could still take on my problem!

Filou
